GENERATORS OF JACOBIANS OF HYPERELLIPTIC CURVES

CHRISTIAN ROBENHAGEN RAVNSHØJ

Abstract. This paper provides a probabilistic algorithm to determine generators of the $m$-torsion subgroup of the Jacobian of a hyperelliptic curve of genus two.



1. Introduction 

Let $C$ be a hyperelliptic curve of genus two defined over a prime field $\mathbb{F}_p$, and $\mathcal{J}_C$ the Jacobian of $C$. Consider the rational subgroup $\mathcal{J}_C(\mathbb{F}_p)$. $\mathcal{J}_C(\mathbb{F}_p)$ is a finite abelian group, and

$$\mathcal{J}_C(\mathbb{F}_p) \cong \mathbb{Z}/n_1\mathbb{Z} \oplus \mathbb{Z}/n_2\mathbb{Z} \oplus \mathbb{Z}/n_3\mathbb{Z} \oplus \mathbb{Z}/n_4\mathbb{Z},$$

where $n_i \mid n_{i+1}$ and $n_2 \mid p-1$. Frey and Rück (1994) show that if $m \mid p-1$, then the discrete logarithm problem in the rational $m$-torsion subgroup $\mathcal{J}_C(\mathbb{F}_p)[m]$ of $\mathcal{J}_C(\mathbb{F}_p)$ can be reduced to the corresponding problem in $\mathbb{F}_p^\times$ (Frey and Rück, 1994, corollary 1). In the proof of this result it is claimed that the non-degeneracy of the Tate pairing can be used to determine whether $r$ random elements of the finite group $\mathcal{J}_C(\mathbb{F}_p)[m]$ in fact form an independent set of generators of $\mathcal{J}_C(\mathbb{F}_p)[m]$. This paper provides an explicit, probabilistic algorithm to determine generators of $\mathcal{J}_C(\mathbb{F}_p)[m]$.

In short, the algorithm outputs elements $\gamma_i$ of the Sylow-$\ell$ subgroup $\Gamma_\ell$ of the rational subgroup $\Gamma = \mathcal{J}_C(\mathbb{F}_p)$, such that $\Gamma_\ell = \bigoplus_i \langle\gamma_i\rangle$, in the following steps:

(1) Choose random elements $\gamma_i \in \Gamma_\ell$ and $h_j \in \mathcal{J}_C(\mathbb{F}_p)$, $i, j \in \{1, \ldots, 4\}$.

(2) Use the non-degeneracy of the tame Tate pairing $\tau$ to diagonalize the sets $\{\gamma_i\}_i$ and $\{h_j\}_j$ with respect to $\tau$; i.e. modify the sets such that $\tau(\gamma_i, h_j) = 1$ if $i \neq j$ and $\tau(\gamma_i, h_i)$ is an $\ell^{\text{th}}$ root of unity.

(3) If $\prod_i |\gamma_i| < |\Gamma_\ell|$, then go to step 1.

(4) Output the elements $\gamma_1, \gamma_2, \gamma_3$ and $\gamma_4$.

The key ingredient of the algorithm is the diagonalization in step 2; this process will be explained in section 5.

We will write $\langle\gamma_i \mid i \in I\rangle = \langle\gamma_i\rangle_i$ and $\bigoplus_{i \in I}\langle\gamma_i\rangle = \bigoplus_i\langle\gamma_i\rangle$ if the index set $I$ is clear from the context.



2. Hyperelliptic curves 

A hyperelliptic curve is a smooth, projective curve $C \subset \mathbb{P}^n$ of genus at least two with a separable, degree two morphism $\varphi : C \to \mathbb{P}^1$. In the rest of this paper, let $C$ be a hyperelliptic curve of genus two defined over a prime field $\mathbb{F}_p$ of characteristic $p > 2$. By the Riemann-Roch theorem there exists an embedding $\psi$, mapping $C$ to a curve given by an equation of the form

where $f \in \mathbb{F}_p[x]$ is of degree six and has no multiple roots (see Cassels and Flynn, 1996, chapter 1).

The set of principal divisors $\mathcal{P}(C)$ on $C$ constitutes a subgroup of the degree zero divisors $\mathrm{Div}_0(C)$. The Jacobian $\mathcal{J}_C$ of $C$ is defined as the quotient

$$\mathcal{J}_C = \mathrm{Div}_0(C)/\mathcal{P}(C).$$

Consider the subgroup $\mathcal{J}_C(\mathbb{F}_p) \le \mathcal{J}_C$ of $\mathbb{F}_p$-rational elements. There exist numbers $n_i$, such that

$$(1)\qquad \mathcal{J}_C(\mathbb{F}_p) \cong \mathbb{Z}/n_1\mathbb{Z} \oplus \mathbb{Z}/n_2\mathbb{Z} \oplus \mathbb{Z}/n_3\mathbb{Z} \oplus \mathbb{Z}/n_4\mathbb{Z},$$

where $n_i \mid n_{i+1}$ and $n_2 \mid p-1$ (see Frey and Lange, 2006, proposition 5.78, p. 111).

We wish to determine generators of the $m$-torsion subgroup $\mathcal{J}_C(\mathbb{F}_p)[m] \le \mathcal{J}_C(\mathbb{F}_p)$, where $m \mid |\mathcal{J}_C(\mathbb{F}_p)|$ is the largest number such that $\ell \mid p-1$ for every prime number $\ell \mid m$.

3. Finite abelian groups 



Miller (2004) shows the following theorem.

Theorem 1. Let $G$ be a finite abelian group of torsion rank $r$. Then for $s \ge r$ the probability that a random $s$-tuple of elements of $G$ generates $G$ is at least

$$\frac{C_r}{\log\log|G|}$$

if $s = r$, and at least $C_s$ if $s > r$, where $C_s > 0$ is a constant depending only on $s$ (and not on $|G|$).

Proof. (Miller, 2004, theorem 3, p. 251) □

Combining theorem 1 and equation (1), we expect to find generators of $\Gamma[m]$ by choosing 4 random elements $\gamma_i \in \Gamma[m]$ in approximately $\log\log|\Gamma[m]|$ attempts.

To determine whether the generators are independent, i.e. if $\langle\gamma_i\rangle_i = \bigoplus_i\langle\gamma_i\rangle$, we need to know the subgroups of a cyclic $\ell$-group $G$. These are determined uniquely by the order of $G$, since

$$\{0\} < \langle\ell^{n-1}g\rangle < \langle\ell^{n-2}g\rangle < \cdots < \langle\ell g\rangle < G$$

are the subgroups of the group $G = \langle g\rangle$ of order $\ell^n$. The following corollary is an immediate consequence of this observation.

Corollary 2. Let $U_1$ and $U_2$ be cyclic subgroups of a finite group $G$. Assume $U_1$ and $U_2$ are $\ell$-groups. Let $\langle u_i\rangle \le U_i$ be the subgroups of order $\ell$. Then

$$U_1 \cap U_2 = \{e\} \iff \langle u_1\rangle \cap \langle u_2\rangle = \{e\}.$$

Here $e \in G$ is the neutral element.
4. The tame Tate pairing

Let $\Gamma = \mathcal{J}_C(\mathbb{F}_p)$ be the rational subgroup of the Jacobian. Consider a number $\lambda \mid \gcd(|\Gamma|, p-1)$. Let $g \in \Gamma[\lambda]$ and $h = \sum_i a_i P_i \in \Gamma$ be divisors with no points in common, and let

$$\bar h \in \Gamma/\lambda\Gamma$$

denote the class containing the divisor $h$. Furthermore, let $f \in \mathbb{F}_p(C)$ be a rational function on $C$ with divisor $\mathrm{div}(f) = \lambda g$. Set $f(h) = \prod_i f(P_i)^{a_i}$. Then

$$e_\lambda(g, \bar h) = f(h)$$

is a well-defined pairing $\Gamma[\lambda] \times \Gamma/\lambda\Gamma \to \mathbb{F}_p^\times/(\mathbb{F}_p^\times)^\lambda$, the Tate pairing; cf. Galbraith (2005). Raising to the power $\frac{p-1}{\lambda}$ gives a well-defined element in the subgroup $\mu_\lambda < \mathbb{F}_p^\times$ of the $\lambda^{\text{th}}$ roots of unity. This pairing

$$\tau_\lambda : \Gamma[\lambda] \times \Gamma/\lambda\Gamma \to \mu_\lambda$$

is called the tame Tate pairing.

Since the class $\bar h$ is represented by the element $h \in \Gamma$, we will write $\tau_\lambda(g, h)$ instead of $\tau_\lambda(g, \bar h)$. Furthermore, we will omit the subscript $\lambda$ and just write $\tau(g, h)$, since the value of $\lambda$ will be clear from the context.

Hess (2004) gives a short and elementary proof of the following theorem.

Theorem 3. The tame Tate pairing $\tau$ is bilinear and non-degenerate.

Corollary 4. For every element $g \in \Gamma$ of order $\lambda$ an element $h \in \Gamma$ exists, such that $\mu_\lambda = \langle\tau(g, h)\rangle$.

Proof. (Silverman, 1986, corollary 8.1.1, p. 98) gives a similar result for elliptic curves and the Weil pairing. The proof of this result only uses that the pairing is bilinear and non-degenerate. Hence it applies to corollary 4. □

Remark 5. In the following we only need the existence of the element $h \in \Gamma$, such that $\mu_\lambda = \langle\tau(g, h)\rangle$; we do not need to find it.

5. Generators of $\Gamma[m]$

As in the previous section, let $\Gamma = \mathcal{J}_C(\mathbb{F}_p)$ be the rational subgroup of the Jacobian. We are searching for elements $\gamma_i \in \Gamma[m]$ such that $\Gamma[m] = \bigoplus_i\langle\gamma_i\rangle$. As an abelian group, $\Gamma[m]$ is the direct sum of its Sylow subgroups. Hence, we only need to find generators of the Sylow subgroups of $\Gamma[m]$.

Set $N = |\Gamma|$ and let $\ell \mid \gcd(N, p-1)$ be a prime number. Choose four random elements $\gamma_i \in \Gamma$. Let $\Gamma_\ell \le \Gamma$ be the Sylow-$\ell$ subgroup of $\Gamma$, and set $N_\ell = |\Gamma_\ell|$. Then $\frac{N}{N_\ell}\gamma_i \in \Gamma_\ell$. Hence, we may assume that $\gamma_i \in \Gamma_\ell$. If all the elements $\gamma_i$ are equal to zero, then we choose other elements $\gamma_i \in \Gamma$. Hence, we may assume that some of the elements $\gamma_i$ are non-zero.

Let $|\gamma_i| = \lambda_i$, and re-enumerate the $\gamma_i$'s such that $\lambda_i \le \lambda_{i+1}$. Since some of the $\gamma_i$'s are non-zero, we may choose an index $\nu \le 4$ such that $\lambda_\nu \ne 1$ and $\lambda_i = 1$ for $i < \nu$. Choose $\lambda_0$ minimal such that $\lambda = \lambda_\nu/\ell^{\lambda_0} \mid p-1$. Then $\mathbb{F}_p$ contains an element $\zeta$ of order $\lambda$. Now set $g_i = \frac{\lambda_i}{\lambda}\gamma_i$, $\nu \le i \le 4$. Then $g_i \in \Gamma[\lambda]$, $\nu \le i \le 4$. Finally, choose four random elements $h_i \in \Gamma$. Let

$$\tau : \Gamma[\lambda] \times \Gamma/\lambda\Gamma \to \langle\zeta\rangle$$

be the tame Tate pairing. Define remainders $a_{ij}$ modulo $\lambda$ by

$$\tau(g_i, h_j) = \zeta^{a_{ij}}.$$

By corollary 4, for any of the elements $g_i$ we can choose an element $h \in \Gamma$, such that $|\tau(g_i, h)| = \lambda$. Assume that $\Gamma/\lambda\Gamma = \langle h_1, h_2, h_3, h_4\rangle$. Then $h = \sum_j q_j h_j$ and

$$\tau(g_i, h) = \zeta^{a_{i1}q_1 + a_{i2}q_2 + a_{i3}q_3 + a_{i4}q_4}.$$

If $a_{ij} \equiv 0 \pmod{\ell}$, $1 \le j \le 4$, then $|\tau(g_i, h)| < \lambda$. Hence, if $\Gamma/\lambda\Gamma = \langle h_1, h_2, h_3, h_4\rangle$, then for all $i \in \{\nu, \ldots, 4\}$ we can choose a $j \in \{1, \ldots, 4\}$, such that $a_{ij} \not\equiv 0 \pmod{\ell}$.

Enumerate the $h_i$ such that $a_{44} \not\equiv 0 \pmod{\ell}$. Now assume a number $j < 4$ exists, such that $a_{4j} \not\equiv 0 \pmod{\lambda}$. Then $\zeta^{a_{4j}} = \zeta^{\beta_1 a_{44}}$ with $\beta_1 = a_{44}^{-1}a_{4j} \pmod{\lambda}$, and replacing $h_j$ with $h_j - \beta_1 h_4$ gives $a_{4j} \equiv 0 \pmod{\lambda}$. So we may assume that

$$a_{41} \equiv a_{42} \equiv a_{43} \equiv 0 \pmod{\lambda} \quad\text{and}\quad a_{44} \not\equiv 0 \pmod{\ell}.$$

Assume similarly that a number $j < 4$ exists, such that $a_{j4} \not\equiv 0 \pmod{\lambda}$. Now set $\beta_2 = a_{44}^{-1}a_{j4} \pmod{\lambda}$. Then $\tau(g_j - \beta_2 g_4, h_4) = 1$. So we may also assume that

$$a_{14} \equiv a_{24} \equiv a_{34} \equiv 0 \pmod{\lambda}.$$

Repeating this process recursively, we may assume that

$$a_{ij} \equiv 0 \pmod{\lambda} \text{ for } i \ne j \quad\text{and}\quad a_{ii} \not\equiv 0 \pmod{\ell}.$$

Again $\nu \le i \le 4$ and $1 \le j \le 4$.

The discussion above is formalized in the following algorithm.
The discussion above is formalized in the following algorithm. 

Algorithm 1. As input we are given a hyperelliptic curve $C$ of genus two defined over a prime field $\mathbb{F}_p$, the number $N = |\Gamma|$ of $\mathbb{F}_p$-rational elements of the Jacobian, and a prime factor $\ell \mid \gcd(N, p-1)$. The algorithm outputs elements $\gamma_i \in \Gamma_\ell$ of the Sylow-$\ell$ subgroup $\Gamma_\ell$ of $\Gamma$, such that $\langle\gamma_i\rangle_i = \bigoplus_i\langle\gamma_i\rangle$, in the following steps.

(1) Compute the order $N_\ell$ of the Sylow-$\ell$ subgroup of $\Gamma$.

(2) Choose elements $\gamma_i \in \Gamma$, $i \in I := \{1, 2, 3, 4\}$. Set $\gamma_i := \frac{N}{N_\ell}\gamma_i$.

(3) Choose elements $h_j \in \Gamma$, $j \in J := \{1, 2, 3, 4\}$.

(4) Set $K := \{1, 2, 3, 4\}$.

(5) For $k'$ from 0 to 3 do the following:

(a) Set $k := 4 - k'$.

(b) If $\gamma_i = 0$, then set $I := I \setminus \{i\}$. If $|I| = 0$, then go to step 2.

(c) Compute the orders $\lambda_\kappa := |\gamma_\kappa|$, $\kappa \in K$. Re-enumerate the $\gamma_\kappa$'s such that $\lambda_\kappa \le \lambda_{\kappa+1}$, $\kappa \in K$. Set $I := \{5 - |I|, 6 - |I|, \ldots, 4\}$.

(d) Set $\nu := \min(I)$, and choose $\lambda_0$ minimal such that $\lambda := \lambda_\nu/\ell^{\lambda_0} \mid p-1$. Set $g_\kappa := \frac{\lambda_\kappa}{\lambda}\gamma_\kappa$, $\kappa \in I \cap K$.

(i) If $g_k = 0$, then go to step 6.

(ii) If $\tau(g_k, h_j)^{\lambda/\ell} = 1$ for all $j \le k$, then go to step 2.

(e) Choose a primitive $\lambda^{\text{th}}$ root of unity $\zeta \in \mathbb{F}_p$. Compute $a_{kj}$ and $a_{\kappa k}$ from $\tau(g_k, h_j) = \zeta^{a_{kj}}$ and $\tau(g_\kappa, h_k) = \zeta^{a_{\kappa k}}$, $1 \le j \le k$, $\kappa \in I \cap K$. Re-enumerate $h_1, \ldots, h_k$ such that $a_{kk} \not\equiv 0 \pmod{\ell}$.

(f) For $1 \le j < k$, set $\beta = a_{kk}^{-1}a_{kj} \pmod{\lambda}$ and $h_j := h_j - \beta h_k$.

(g) For $\kappa \in I \cap K \setminus \{k\}$, set $\beta = a_{kk}^{-1}a_{\kappa k} \pmod{\lambda}$ and $\gamma_\kappa := \gamma_\kappa - \beta\frac{\lambda_k}{\lambda_\kappa}\gamma_k$.

(h) Set $K := K \setminus \{k\}$.

(6) Output $\gamma_1, \gamma_2, \gamma_3$ and $\gamma_4$.
Remark 6. Algorithm 1 consists of a small number of

(1) calculations of orders of elements $\gamma \in \Gamma_\ell$,

(2) multiplications of elements $\gamma \in \Gamma$ with numbers $a \in \mathbb{Z}$,

(3) additions of elements $\gamma_1, \gamma_2 \in \Gamma$,

(4) evaluations of pairings of elements $\gamma_1, \gamma_2 \in \Gamma$ and

(5) solving the discrete logarithm problem in $\mathbb{F}_p$, i.e. to determine $a$ from $\zeta$ and $\zeta' = \zeta^a$.

By (Miller, 2004, proposition 9), the order $|\gamma|$ of an element $\gamma \in \Gamma_\ell$ can be calculated in time $O(\log^2 N_\ell)A_\Gamma$, where $A_\Gamma$ is the time for adding two elements of $\Gamma$. A multiple $a\gamma$ or a sum $\gamma_1 + \gamma_2$ is computed in time $O(A_\Gamma)$. By Frey and Rück (1994), the pairing $\tau(\gamma_1, \gamma_2)$ of two elements $\gamma_1, \gamma_2 \in \Gamma$ can be evaluated in time $O(\log N_\ell)$. Finally, by Pohlig and Hellman (1978) the discrete logarithm problem in $\mathbb{F}_p$ can be solved in time $O(\log p)$. We may assume that addition in $\Gamma$ is easy, i.e. that $A_\Gamma \le O(\log p)$. Hence algorithm 1 runs in expected time $O(\log p)$.

Careful examination of algorithm 1 gives the following lemma.

Lemma 7. Let $\Gamma_\ell$ be the Sylow-$\ell$ subgroup of $\Gamma$, $\ell \mid p-1$. Algorithm 1 determines elements $\gamma_i \in \Gamma_\ell$ and $h_i \in \Gamma$, $1 \le i \le 4$, such that one of the following cases holds.

(1) $a_{11}a_{22}a_{33}a_{44} \not\equiv 0 \pmod{\ell}$ and $a_{ij} \equiv 0 \pmod{\lambda}$, $i \ne j$, $i, j \in \{1, 2, 3, 4\}$.

(2) $\gamma_1 = 0$, $a_{22}a_{33}a_{44} \not\equiv 0 \pmod{\ell}$ and $a_{ij} \equiv 0 \pmod{\lambda}$, $i \ne j$, $i, j \in \{2, 3, 4\}$.

(3) $\gamma_1 = \gamma_2 = 0$, $a_{33}a_{44} \not\equiv 0 \pmod{\ell}$ and $a_{ij} \equiv 0 \pmod{\lambda}$, $i \ne j$, $i, j \in \{3, 4\}$.

(4) $\gamma_1 = \gamma_2 = \gamma_3 = 0$.

If $\lambda_i = |\gamma_i|$, then $\lambda_i \le \lambda_{i+1}$. Set $\nu = \min\{i \mid \lambda_i \ne 1\}$, and define $\lambda_0$ as the least number, such that $\lambda = \lambda_\nu/\ell^{\lambda_0} \mid p-1$. Set $g_i = \frac{\lambda_i}{\lambda}\gamma_i$, $\nu \le i \le 4$. Then the numbers $a_{ij}$ above are determined by

$$\tau(g_i, h_j) = \zeta^{a_{ij}},$$

where $\tau$ is the tame Tate pairing $\Gamma[\lambda] \times \Gamma/\lambda\Gamma \to \mu_\lambda = \langle\zeta\rangle$.

Theorem 8. Algorithm 1 determines elements $\gamma_1, \gamma_2, \gamma_3$ and $\gamma_4$ of the Sylow-$\ell$ subgroup of $\Gamma$, $\ell \mid p-1$, such that $\langle\gamma_i\rangle_i = \bigoplus_i\langle\gamma_i\rangle$.

Proof. Choose elements $\gamma_i, h_i \in \Gamma$ such that the conditions of lemma 7 are fulfilled. Set $\lambda_i = |\gamma_i|$, and let $\nu = \min\{i \mid \lambda_i \ne 1\}$. Define $\lambda_0$ as the least number, such that $\lambda = \lambda_\nu/\ell^{\lambda_0} \mid p-1$. Set $g_i = \frac{\lambda_i}{\lambda}\gamma_i$. Then the $a_{ij}$'s from lemma 7 are determined by

$$\tau(g_i, h_j) = \zeta^{a_{ij}}.$$

We only consider case 1 of lemma 7, since the other cases follow similarly. We start by determining $\langle\gamma_3\rangle \cap \langle\gamma_4\rangle$. Assume that $g_3 = a g_4$. Then

$$1 = \tau(g_3, h_4) = \tau(a g_4, h_4) = \zeta^{a a_{44}},$$

i.e. $a \equiv 0 \pmod{\lambda}$. Hence $\langle\gamma_3\rangle \cap \langle\gamma_4\rangle = \{0\}$. Then we determine $\langle\gamma_2\rangle \cap \langle\gamma_3, \gamma_4\rangle$. Assume $g_2 = a g_3 + b g_4$. Then

$$1 = \tau(g_2, h_3) = \tau(a g_3, h_3) = \zeta^{a a_{33}},$$

i.e. $a \equiv 0 \pmod{\lambda}$. In the same way,

$$1 = \tau(g_2, h_4) = \zeta^{b a_{44}},$$

i.e. $b \equiv 0 \pmod{\lambda}$. Hence $\langle\gamma_2\rangle \cap \langle\gamma_3, \gamma_4\rangle = \{0\}$. Similarly $\langle\gamma_1\rangle \cap \langle\gamma_2, \gamma_3, \gamma_4\rangle = \{0\}$. Hence $\langle\gamma_i\rangle_i = \bigoplus_i\langle\gamma_i\rangle$. □
From theorem 8 we get the following probabilistic algorithm to determine generators of the $m$-torsion subgroup $\Gamma[m] \le \Gamma$, where $m \mid |\Gamma|$ is the largest divisor of $|\Gamma|$ such that $\ell \mid p-1$ for every prime number $\ell \mid m$.

Algorithm 2. As input we are given a hyperelliptic curve $C$ of genus two defined over a prime field $\mathbb{F}_p$, the number $N = |\Gamma|$ of $\mathbb{F}_p$-rational elements of the Jacobian, and the prime factors $p_1, \ldots, p_n$ of $\gcd(N, p-1)$. The algorithm outputs elements $\gamma_i \in \Gamma[m]$ such that $\Gamma[m] = \bigoplus_i\langle\gamma_i\rangle$ in the following steps.

(1) Set $\gamma_i := 0$, $1 \le i \le 4$. For $\ell \in \{p_1, \ldots, p_n\}$ do the following:

(a) Use algorithm 1 to determine elements $\gamma_i' \in \Gamma_\ell$, $1 \le i \le 4$, such that $\langle\gamma_i'\rangle_i = \bigoplus_i\langle\gamma_i'\rangle$.

(b) If $\prod_i |\gamma_i'| < N_\ell$, then go to step 1a.

(c) Set $\gamma_i := \gamma_i + \gamma_i'$, $1 \le i \le 4$.

(2) Output $\gamma_1, \gamma_2, \gamma_3$ and $\gamma_4$.

Remark 9. By remark 6, algorithm 2 has expected running time $O(\log p)$. Hence algorithm 2 is an efficient, probabilistic algorithm to determine generators of the $m$-torsion subgroup $\Gamma[m] \le \Gamma$, where $m \mid |\Gamma|$ is the largest divisor of $|\Gamma|$ such that $\ell \mid p-1$ for every prime number $\ell \mid m$.

Remark 10. The strategy of algorithm 1 can be applied to any finite, abelian group $\Gamma$ with bilinear, non-degenerate pairings into cyclic groups. For the strategy to be efficient, the pairings must be efficiently computable, and the discrete logarithm problem in the cyclic groups must be easy.
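The diagonalization of section 5 and algorithms 1 and 2, run end to end on a constructed group, as an added example; this is not the paper's code. Following remark 10, the Jacobian is replaced by the abstract group $\Gamma = \mathbb{Z}/3 \oplus \mathbb{Z}/3 \oplus \mathbb{Z}/9 \oplus \mathbb{Z}/9$ with $p = 19$ and $\ell = 3$, and the tame Tate pairing by a constructed bilinear, non-degenerate pairing $\Gamma[\lambda] \times \Gamma/\lambda\Gamma \to \mu_\lambda < \mathbb{F}_{19}^\times$; the group, the prime, the pairing formula and every function name (`pairing`, `dlog`, `algorithm1`, `algorithm2`, `span_size`, ...) are assumptions of the example. The discrete logarithm of step (5e) is done by brute force in place of Pohlig-Hellman, and `span_size` checks the conclusion of theorem 8 by exhaustive enumeration, independently of the pairing.

```python
"""Added example (not the paper's code): algorithms 1 and 2 run on a constructed abelian group.
The Jacobian is replaced by Gamma = Z/n1 (+) Z/n2 (+) Z/n3 (+) Z/n4 from equation (1), stored
additively as 4-tuples, and the tame Tate pairing by a constructed bilinear, non-degenerate
pairing Gamma[lam] x Gamma/lam*Gamma -> mu_lam < F_p^x, which is all that remark 10 requires."""
from math import gcd, lcm, prod
import random

P = 19              # constructed prime: p - 1 = 18 = 2 * 3^2, so 9 | p - 1
ELL = 3             # the prime ell | gcd(N, p - 1) handed to algorithm 1
NS = (3, 3, 9, 9)   # constructed orders n_i with n_i | n_{i+1} and n_2 | p - 1
N = prod(NS)        # N = |Gamma| = 729; this Gamma is itself a 3-group
ZERO = (0, 0, 0, 0)

def add(g, h):
    return tuple((x + y) % n for x, y, n in zip(g, h, NS))

def mul(a, g):
    return tuple((a * x) % n for x, n in zip(g, NS))

def order(g):
    """|g| = lcm over the coordinates of n_i / gcd(x_i, n_i)."""
    return lcm(*(n // gcd(x, n) for x, n in zip(g, NS)))

def sylow_order(n, ell):
    """N_ell, the largest power of ell dividing n (step (1) of algorithm 1)."""
    return ell * sylow_order(n // ell, ell) if n % ell == 0 else 1

def root_of_unity(lam):
    """A primitive lam-th root of unity in F_p; lam is a power of ELL dividing p - 1."""
    return next(z for z in range(2, P) if pow(z, lam, P) == 1 and pow(z, lam // ELL, P) != 1)

def pairing(g, h, lam, zeta):
    """Stand-in for tau_lam(g, h), g in Gamma[lam], h read modulo lam*Gamma: coordinate i of g lies
    in the subgroup of order d_i = gcd(lam, n_i), so g_i = (n_i/d_i) x_i, and the exponent
    sum of x_i * h_i * (lam/d_i) is well defined mod lam, bilinear and non-degenerate."""
    e = sum((x // (n // gcd(lam, n))) * y * (lam // gcd(lam, n)) for x, y, n in zip(g, h, NS))
    return pow(zeta, e, P)

def dlog(value, zeta, lam):
    """Brute-force discrete logarithm in <zeta>, standing in for Pohlig-Hellman (remark 6, (5))."""
    return next(a for a in range(lam) if pow(zeta, a, P) == value)

def algorithm1(seed_or_rng):
    """Algorithm 1 with 0-based indices: K = {0, ..., k}; 'go to step 2' restarts the outer loop."""
    rng = seed_or_rng if isinstance(seed_or_rng, random.Random) else random.Random(seed_or_rng)
    n_ell = sylow_order(N, ELL)                                                        # (1)
    for _ in range(1000):
        gam = [mul(N // n_ell, tuple(rng.randrange(n) for n in NS)) for _ in range(4)]  # (2)
        hs = [tuple(rng.randrange(n) for n in NS) for _ in range(4)]                    # (3)
        for k in (3, 2, 1, 0):                                                         # (4), (5a)
            if all(g == ZERO for g in gam):                                            # (5b): |I| = 0
                break
            gam[:k + 1] = sorted(gam[:k + 1], key=order)                               # (5c)
            lam_i = [order(g) for g in gam]
            lam = lam_i[min(i for i in range(4) if gam[i] != ZERO)]                    # (5d): lam_nu
            while (P - 1) % lam:                    # lam = lam_nu / ell^lam0 with lam0 minimal
                lam //= ELL
            if gam[k] == ZERO:                                                         # (5d i) -> (6)
                return gam
            zeta = root_of_unity(lam)                                                  # (5e)
            g_k = mul(lam_i[k] // lam, gam[k])
            a_k = [dlog(pairing(g_k, hs[j], lam, zeta), zeta, lam) for j in range(k + 1)]
            if all(a % ELL == 0 for a in a_k):                                         # (5d ii)
                break
            j = next(j for j in range(k + 1) if a_k[j] % ELL)        # re-enumerate: a_kk != 0 mod ell
            hs[j], hs[k], a_k[j], a_k[k] = hs[k], hs[j], a_k[k], a_k[j]
            inv = pow(a_k[k], -1, lam)
            for j in range(k):                                                         # (5f)
                hs[j] = add(hs[j], mul(-(inv * a_k[j] % lam), hs[k]))
            for kap in (i for i in range(k) if gam[i] != ZERO):                        # (5g)
                a_kap = dlog(pairing(mul(lam_i[kap] // lam, gam[kap]), hs[k], lam, zeta), zeta, lam)
                gam[kap] = add(gam[kap], mul(-(inv * a_kap % lam) * (lam_i[k] // lam_i[kap]), gam[k]))
        else:
            return gam                                                                 # (6)
    raise RuntimeError("too many restarts")

def product_of_orders(gens):
    return prod(order(g) for g in gens)

def algorithm2(seed):
    """Algorithm 2 for the single prime ELL: rerun algorithm 1 until prod |gamma_i| = N_ell."""
    rng = random.Random(seed)
    while True:
        gam = algorithm1(rng)                                                          # (1a)
        if product_of_orders(gam) == sylow_order(N, ELL):                              # (1b)
            return gam                                                                 # (1c), (2)

def span_size(gens):
    """|<gamma_1, ..., gamma_4>| by closure; equals prod |gamma_i| exactly when the sum is direct."""
    seen, todo = {ZERO}, [ZERO]
    while todo:
        x = todo.pop()
        for g in gens:
            if (y := add(x, g)) not in seen:
                seen.add(y)
                todo.append(y)
    return len(seen)
```

`algorithm2(1)` returns four elements whose orders multiply to $N_\ell = 729$ and whose span has exactly that many elements, i.e. they generate $\Gamma_\ell$ and the sum is direct. `algorithm1` alone returns a direct sum on every run (`span_size` equals the product of the orders, which is the claim of theorem 8), but it generates all of $\Gamma_\ell$ only with roughly the probability of theorem 1, which is why algorithm 2 repeats it. With a single prime factor the addition in step (1c) of algorithm 2 is trivial, so the example keeps only the retry loop of step (1b). Trivial pairing values are independent of the root of unity chosen for each $\lambda$, so the restart test of step (5d ii) and the orthogonality relations of steps (5f) and (5g) carry over between iterations even when $\lambda$ changes.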